Safe & Sound Blog Feed

Our Safe & Sound blog provides a practical, business-focused discussion of the legal issues relating to the privacy and security of business data. This blog will keep clients and potential clients aware of current events, news, and legislation in this area.

OCR Will Increase Focus on Smaller Breaches
Entities with smaller breaches hoping to fly under the radar may be out of luck. On August 18, the Office for Civil Rights (OCR) announced its intention to more widely investigate breaches affecting fewer than 500 individuals. Specifically, OCR will instruct its Regional Offices to increase efforts to identify and obtain corrective action from entities with breaches affecting fewer than 500 individuals. Previously, OCR’s Regional Offices focused their attention on investigating all reported breaches involving the PHI of 500 or...

TXT U L8R: Should Your Physician Be Texting Orders?
Many a health lawyer has been struggling with how to explain the U-turn-laden road of whether hospitals should allow physicians to text orders. The bottom line is: NOT YET. One way to summarize The Joint Commission’s (TJC) position on texting orders is:
Up until 2011: “What is texting?”
2011: “No texting!”
May 2016: “You will be able to text—just hang on!”
July 2016: “No, no, no, you cannot text until you get guidance from us, along with our good friends at the Centers...

Does Your Company Meet Privacy Shield Protection Criteria?
As of August 1, the US-EU Privacy Shield is up and running. Companies transferring personal data (e.g., employee data, customer data, etc.) from the EU to the U.S. can now register with the U.S. Department of Commerce provided that they meet the requisite protection criteria. Registration under the Privacy Shield certifies that the transfer of the personal data does not run afoul of the EU rules which generally prohibit the transfer of such personal data to the U.S.
As you will recall,...

EU Regulators Allow One-Year Test of Privacy Shield
The long-awaited US-EU Privacy Shield—the successor to the US-EU Safe Harbor, which was declared invalid—is set to kick in on August 1, 2016. (See our July 8 post for details.) One of the reasons it took so long to put the Privacy Shield in place was the opposition it encountered from consumer groups and the data protection authorities of the EU member states (i.e., the Article 29 Working Party). The Article 29 Working Party called the Privacy Shield inadequate and not in...

New, Stringent Cyber Supply Chain Standard Under Development
Just last week, the Federal Energy Regulatory Commission or “FERC” moved closer to regulating the supply chain management practices for energy companies that own and operate the physical assets that comprise the nation’s power grid. Specifically, on July 21, FERC directed the North American Electric Reliability Corporation or “NERC” to issue a new supply chain management standard that addresses risks to information systems and related bulk electric system assets.
By way of background, the Energy Policy Act of 2005 required FERC...

New Guidance Released by OCR on Ransomware
In light of the increasing number of high-profile ransomware attacks that have recently occurred and the threat these attacks pose to the health care industry in particular, the Office for Civil Rights (“OCR”) released guidance on July 11, 2016 regarding ransomware and HIPAA. This guidance outlines activities required by HIPAA that will assist entities in proactively preventing and efficiently responding to ransomware attacks. For example, the guidance addresses:
Implementing a security management process, including conducting a risk analysis and mitigating identified...

New EU Privacy Shield Approved
In October 2015, the European Court of Justice declared the EU-U.S. Data Privacy Safe Harbor invalid. For the 200+ U.S. companies which had relied on the Safe Harbor to transfer personal data from the EU to the U.S., this meant that such transfers were no longer legal. The U.S. and the EU almost immediately started working on a successor mechanism to replace the invalid Safe Harbor. In the meantime, however, the national data protection authorities of the EU member states...

Don’t Expose Your ePHI by Using Vulnerable Third-Party Applications
Covered entities (CEs) and business associates (BAs) beware—third-party application software security vulnerabilities are on the rise, according to the Health & Human Services (HHS) Office for Civil Rights in Action. In June 2016, the HHS Office for Civil Rights in Action published a newsletter reminding HIPAA CEs and BAs about the risks inherent in third-party application software and describing how CEs and BAs can secure their systems to mitigate vulnerabilities.
What is third-party application software?
Third-party application software is a program that is...

Data Breach Costs Rise to $4 Million Globally, $7 Million in the U.S.
According to the Ponemon Institute 2016 Cost of Data Breach Study (sponsored by IBM), the total cost a company should expect to spend in response to a data breach has once again increased both globally and in the United States. The average cost paid for each lost or stolen record containing sensitive and confidential information is also on the rise.
Globally, the average total cost of a data breach for the 383 companies participating in the study increased from $3.79 million...